If you can’t provision a good hiding place for your hardware wallet seed phrase… maybe you don’t need to back it up in the first place. (Use multiple wallets plus pin instead)

Hiding stuff is hard. Too easy, and an attacker can find it. Too hard, and you may wind up hiding it from yourself. Or from the people that should inherit if you die.

This is the dilemma of people who hold their bitcoin in hardware (HW) wallets, where the ultimate backup is the seed phrase. For the purposes of this article, we are talking about BIP39-compatible HW wallets, of which the two top contenders are the Trezor and the Ledger Wallet.

From conversations with large bitcoin holders, I think there is a population of users who would like to be “in control” of their crypto assets, but are uncomfortable with the idea of hiding a seed phrase as the backup for an ultimate failure scenario.

The obvious thing is to hide the seed phrase in a safe deposit box. But:

1) bank safe deposit boxes are starting to become hard to come by (long waiting lists)
2) maybe you don’t trust the bank

Here’s a thought.

If you

  • want quick access to high value bitcoin wallet
  • are bad at hiding things (can’t keep seed phrase safe)
  • are bad at, or too lazy for, high paranoia computer security (no offline computer, no live cd boot)
  • don’t trust your bank — or the government — not to swipe your bitcoin

then the following is a solution where you don’t need to keep the seed phrase backed up *anywhere*.

The trick is, instead of backing up the seed phrase, you set up multiple HW wallets with the same seed phrase, and then destroy the seed phrase.  Keep main wallet handy, backup wallets in car, office, and give a few other backups to friends for safe keeping.  Friends can’t do anything with just the wallet, they need the second factor (PIN code for Trezor, plastic card with long code for Ledger wallet).

Keep the second factor(s) somewhere safe yet obvious — and separate from hardware wallet — in case you have a head injury or something and forget the pin, or you die and your heir needs to dig up the bitcoin. Ideally a safe deposit box. Even if bank employees are crooked, they can’t access coins with just the second factor but no HW.  Safe deposit box should be accessible by heirs if you die.  An easy, no-lawyers, hacky way to do this is to have joint account for box but keep both keys.  Your heir will have to drill the box to recover pin code if you die.  An evil heir could have box drilled without your permission… so don’t have an evil heir.

Now, a few words about second factors. Trezor wallet second factor is a PIN, which can be memorized.  Ledger wallet second factor is a long code printed on a plastic card, which really can’t be memorized unless you take up some strange hobbies.  Trezor can get away with the simpler second factor because it has a built-in screen.  So all things being equal, Trezor is more convenient.  But all things aren’t equal, because Trezor is about $100 and you can get ten el-cheapo HW.1 Ledger wallets for the same price.

To keep costs down but security high, you could use Trezor as primary wallet and Ledger as backup.  Since both HW wallets use BIP39, their word lists are compatible. You will need the Ledger Starter bootable USB to reset the seed on the Ledgers, which is a little more work, but not a deal breaker.  Keep all second factors in the bank box — both Trezor PIN, and all Ledger security cards. For the Ledger wallets, take care to clearly label which device is paired to which card. Or if money is no object, I would just use Trezor for all backup HW wallets, using same PIN for every device.

If all HW wallets are destroyed the coin is gone, but then again if the seed phrase is forgotten or destroyed, same thing. Hardware does wear out, so you need to set a calendar item to test hardware every six months or so, and replace all wallets every couple years. This involves moving coins to new seed phrase, since you don’t have old phrase any more.

A superficially similar, but inferior, approach would be to write down the seed phrase and keep several copies of it distributed among your friends, but use a (memorizable) supplementary pass phrase on top of this, and keep a backup of the pass phrase in the safe deposit box. (Note that supplementary pass phrase is Trezor only.  Ledger does not currently support this feature of the bip39 spec.)

I don’t like this though.

The main advantage is cost.  Paper wallets among your friends, and a pass phrase in the safe deposit box, saves you from having to buy multiple HW wallets.

But, it’s a lot less safe.

  1. with the hardware backups you retain the ability to move bitcoin immediately if the main wallet stops working.  My thinking is that with seed phrase backup only, one might panic and enter the seed phrase on an unsafe machine, rather than wait for new hardware to arrive in the mail.
  2. supplemental pass phrase can be stolen on a compromised computer, whereas second factors cannot.  The PIN number is scrambled on the Trezor screen, and the Ledger security card is just additional entropy that is paired with the device (nothing for a hacker to sniff).

So with seed + pass phrase, the attack is merely stealing one of the backup seed phrases (or betrayal by friend) plus stealing the supplemental phrase by bugging the owner’s laptop.  Pin number which is stored only in owner’s head plus very secure place (like safe deposit) is much, much safer than supplemental pass phrase.
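The derivation behind that attack path, as an added example (not code from the original post): BIP39 turns the written words plus the optional pass phrase into the wallet seed with PBKDF2, and no device or PIN takes part, so whoever holds both inputs holds the wallet. The mnemonic is the public test vector from the BIP39 reference vectors; the function names are illustrative.

```python
import hashlib
import unicodedata

# Public BIP39 test mnemonic (all-zero entropy). Never fund a wallet made from it.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Words + optional pass phrase -> 64-byte wallet seed, per BIP39."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s)
    # Assumption: words are rejoined with single spaces, as the spec expects.
    words = " ".join(nfkd(mnemonic).split())
    # The pass phrase only changes the salt; there is no checksum on it.
    salt = "mnemonic" + nfkd(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def fingerprint(seed: bytes) -> str:
    """Short label for comparing seeds without printing them (illustrative)."""
    return hashlib.sha256(seed).hexdigest()[:16]


def compare_setups(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate pass phrase to the fingerprint of the seed it yields."""
    return {p: fingerprint(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # "", the real pass phrase, and a one-character typo: three valid wallets.
    for p, fp in compare_setups(TEST_MNEMONIC, ["", "TREZOR", "TREZ0R"]).items():
        print(f"pass phrase {p!r:10} -> seed fingerprint {fp}")
```

Every pass phrase, including a mistyped one, yields a valid but different seed, so the pass phrase copy in the safe deposit box has to be exact.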

To summarize it all, you can keep bitcoin safe on a hardware wallet plus a few backups, without storing the seed phrase anywhere.  If you are bad at hiding things, but don’t mind a bit more work at setup time, plus more work testing HW wallets and moving to new wallets periodically, this might be a good way to keep your bitcoin safe. Or at least keep your peace of mind that no one has gotten to the seed phrase. Trezor as main wallet keeps things convenient — just need to memorize a pin code. Handful of Ledger HW.1 backup wallets with same seed saves on costs.

Keep calm and bitcoin on!

UPDATE: One potential flaw is that you are not guaranteed access to coins on forks if you don’t have the secret. In the case of BCH both Trezor and Ledger did support the fork without the seed phrase, but this is a case-by-case thing. (More comments below.)




About thomashartman1

I am a crypto currency enthusiast, trader, and software developer. Contact: thomas AT standardcrypto DOT com.

5 Responses to If you can’t provision a good hiding place for your hardware wallet seed phrase… maybe you don’t need to back it up in the first place. (Use multiple wallets plus pin instead)

  1. Michael says:

    I actually arrived at a similar version of this setup. I use two Ledger Nano S hardware wallets with the same pin stored in separate locations; I destroyed the seed after restoring the second Ledger with the first Ledger’s seed phrase. I was never comfortable with seed word overriding everything including hardware or pins; seems like a huge weakness to the security aspects. Anyway, with upcoming Bitcoin fork I am wondering if the seed word is now required to claim a forked coin. I am considering whether I should wipe one of the Ledgers and set it up as a new device, recording the seed phrase, and transfer Bitcoin from the other Ledger to this newly set up Ledger before any fork?

    • thomashartman1 says:

      The seed word is required if the hardware / software on the wallet that you have set up does not support the fork — and another wallet does support this, and you want to access coins there. In the case of ledger nano you are probably safe. However, it’s worth considering moving coins to a new wallet where you do have the seed, if you think there is going to be a lot of value trapped in a fork that you will be wanting to access.

      • Michael says:

        Thanks for the reply. Forks are exactly why I got to thinking about the absence of the seed as you mentioned. I have done some disaster recovery practice with Ledger seed and was able to easily restore BTC/ETH/LTC wallets without the hardware BUT for ARK this is not possible using a passphrase, you must restore on a ledger hardware – not ideal and this is a ‘supported’ coin! So it is highly likely that at some forking time in the future that the seed will be required to access splits which will be a headache. Once the seed is entered anywhere online to access the unsupported coin it leaves all other addresses derived from this seed (your entire ledger wallets) compromised and should be moved to a new seed/wallet.

    • thomashartman1 says:

      I’m replying here because wordpress won’t let me reply to your other comment. (no idea.)

      Anyway good point. I added a warning to read the comments. But for high value forks, ledger and trezor both have a pretty good reputation for allowing access to fork coins without the seed phrase. Like with everything else in crypto, YMMV.

      I think some people are genuinely neurotic about backing up a secret on paper, so this is just one more way to reduce fears of the learning curve with bitcoin. I think most hodlers would be ok missing out on profits from (I assume) minor forks like ARK — which I have never heard of. What was ARK trading at, percentage terms, that you could realistically get, just out of curiosity?

  2. rk says:

    Be careful about potential differences between Trezor and Ledger in HD Derivation paths used for specific currencies. e.g. I think Trezor uses the common m/44’/61’/0’/0 for ETC but Ledger uses m/44’/60’/160720’/0’/. Couldn’t that lead to your Ethereum Classic coins not showing up on one of them?
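
An added illustration of the derivation-path point raised in the comment above (not part of the comment thread or the original post): BIP32 hardened derivation in plain Python, showing that one seed walked down two different paths ends at unrelated private keys, so a device that looks under one path sees nothing stored under the other. The two paths are the ones quoted in the comment and are not verified here; the seed is a constructed sample and the function names are illustrative.

```python
import hashlib
import hmac

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HARDENED = 0x80000000
SEED = bytes(range(16))  # constructed sample seed, not a real wallet


def parse_path(path: str) -> list[int]:
    """'m/44'/60'/0'' -> 32-bit child indexes; ', ’ and h mark hardened steps."""
    parts = [p for p in path.strip().split("/") if p]
    if not parts or parts[0] != "m":
        raise ValueError("path must start with m")
    out = []
    for p in parts[1:]:
        hard = p[-1] in "'’hH"
        n = int(p[:-1] if hard else p)
        if not 0 <= n < HARDENED:
            raise ValueError(f"index out of range: {p}")
        out.append(n + HARDENED if hard else n)
    return out


def master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master private key and chain code from a wallet seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= N:
        raise ValueError("seed gives an invalid master key")
    return k, i[32:]


def ckd_hardened(k: int, chain: bytes, index: int) -> tuple[int, bytes]:
    """Hardened private child derivation (needs only HMAC and modular addition)."""
    data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:
        raise ValueError("invalid child key, use the next index")
    return child, i[32:]


def hardened_prefix_key(seed: bytes, path: str) -> str:
    """Private key (hex) at the end of the path's leading hardened steps."""
    k, chain = master_key(seed)
    for index in parse_path(path):
        if index < HARDENED:  # non-hardened steps need EC point math, left out here
            break
        k, chain = ckd_hardened(k, chain, index)
    return k.to_bytes(32, "big").hex()
```

Calling `hardened_prefix_key(SEED, ...)` with each of the two quoted paths returns two different keys, which is why a restore test on the backup device should check every coin held, not just BTC.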
